-
Publication No.: US08205252B2
Publication date: 2012-06-19
Application No.: US11460929
Filing date: 2006-07-28
Applicant: Daniel R. Simon, Sharad Agarwal, David A. Maltz
Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
IPC classification: H04L29/06
CPC classification: H04L63/1433, H04L12/66, H04L45/74, H04L63/0227, H04L63/0236, H04L63/0263, H04L63/1408, H04L63/1416, H04L63/1441, H04L63/1458, H04L2463/146
Abstract: Accountability among Autonomous Systems (ASs) in a network ensures reliable identification of various customers within the ASs and provides defensibility against malicious customers within the ASs. In one implementation, reliable identification is achieved by implementing ingress filtering on data packets originating within individual ASs and defensibility is provided by filtering data packets on request. To facilitate on-request filtering, individual ASs are equipped with a Filter Request Server (FRS) to filter data packets from certain customers identified in a filter request. Thus, when a requesting customer makes a filter request against an offending customer, the FRS within the AS to which the offending customer belongs conducts on-request filtering and installs an on-request filter on a first-hop network infrastructure device for the offending customer. Consequently, the first-hop network infrastructure device filters any data packet sent from the offending customer to the requesting customer.
-
Publication No.: US09363233B2
Publication date: 2016-06-07
Application No.: US13526295
Filing date: 2012-06-18
Applicant: Daniel R. Simon, Sharad Agarwal, David A. Maltz
Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
CPC classification: H04L63/1433, H04L12/66, H04L45/74, H04L63/0227, H04L63/0236, H04L63/0263, H04L63/1408, H04L63/1416, H04L63/1441, H04L63/1458, H04L2463/146
Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against who a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
-
Publication No.: US20120260336A1
Publication date: 2012-10-11
Application No.: US13526295
Filing date: 2012-06-18
Applicant: Daniel R. Simon, Sharad Agarwal, David A. Maltz
Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
IPC classification: G06F21/00
CPC classification: H04L63/1433, H04L12/66, H04L45/74, H04L63/0227, H04L63/0236, H04L63/0263, H04L63/1408, H04L63/1416, H04L63/1441, H04L63/1458, H04L2463/146
Abstract: In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against who a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.
-
Publication No.: US20080027942A1
Publication date: 2008-01-31
Application No.: US11460929
Filing date: 2006-07-28
Applicant: Daniel R. Simon, Sharad Agarwal, David A. Maltz
Inventors: Daniel R. Simon, Sharad Agarwal, David A. Maltz
IPC classification: G06F17/30
CPC classification: H04L63/1433, H04L12/66, H04L45/74, H04L63/0227, H04L63/0236, H04L63/0263, H04L63/1408, H04L63/1416, H04L63/1441, H04L63/1458, H04L2463/146
Abstract: Accountability among Autonomous Systems (ASs) in a network ensures reliable identification of various customers within the ASs and provides defensibility against malicious customers within the ASs. In one implementation, reliable identification is achieved by implementing ingress filtering on data packets originating within individual ASs and defensibility is provided by filtering data packets on request. To facilitate on-request filtering, individual ASs are equipped with a Filter Request Server (FRS) to filter data packets from certain customers identified in a filter request. Thus, when a requesting customer makes a filter request against an offending customer, the FRS within the AS to which the offending customer belongs conducts on-request filtering and installs an on-request filter on a first-hop network infrastructure device for the offending customer. Consequently, the first-hop network infrastructure device filters any data packet sent from the offending customer to the requesting customer.
-
Publication No.: US08898292B2
Publication date: 2014-11-25
Application No.: US13219581
Filing date: 2011-08-26
Applicant: Cheng Huang, David A. Maltz, Jin Li, Ming Zhang, Chao Zhang, Keith W. Ross
Inventors: Cheng Huang, David A. Maltz, Jin Li, Ming Zhang, Chao Zhang, Keith W. Ross
IPC classification: G06F15/173, H04L29/06, H04L29/12
CPC classification: H04L61/1511, H04L63/12, H04L63/1408, H04L2463/146
Abstract: A plurality of network addresses from a distributed client is obtained, at least a first portion of the obtained network addresses including resolved network address responses to distributed client requests for resolved network addresses corresponding to one or more network location indicators associated with a first web service. Test content is obtained, based on one or more of the network addresses included in the first portion. It is determined whether the obtained test content includes unauthorized content.
-
Publication No.: US20130346465A1
Publication date: 2013-12-26
Application No.: US13530036
Filing date: 2012-06-21
Applicant: David A. Maltz, Parveen Patel, Albert G. Greenberg, Srikanth Kandula, Nick Holt, Randall Friend Kern
Inventors: David A. Maltz, Parveen Patel, Albert G. Greenberg, Srikanth Kandula, Nick Holt, Randall Friend Kern
IPC classification: G06F15/16
CPC classification: G06F9/5072, G06F2209/509
Abstract: A management service that receives requests for the cloud computing environment to host applications, and improves performance of the application using an edge server. In response to the original request, the management service allocates the application to run on an origin data center, evaluates the application by evaluating at least one of the application properties designated by an application code author or provider, or the application performance, and uses an edge server to improve performance of the application in response to evaluating the application. For instance, a portion of application code may be offloaded to run on the edge data center, a portion of application data may be cached at the edge data center, or the edge server may add functionality to the application.
-
Publication No.: US20130343399A1
Publication date: 2013-12-26
Application No.: US13529747
Filing date: 2012-06-21
IPC classification: H04L12/56
CPC classification: G06F9/5077, G06F9/45533, H04L41/0893, H04L45/38, H04L45/586, H04L49/70, H04L49/90, H04L49/9068
Abstract: The present invention extends to methods, systems, and computer program products for offloading virtual machine flows to physical queues. A computer system executes one or more virtual machines, and programs a physical network device with one or more rules that manage network traffic for the virtual machines. The computer system also programs the network device to manage network traffic using the rules. In particular, the network device is programmed to determine availability of one or more physical queues at the network device that are usable for processing network flows for the virtual machines. The network device is also programmed to identify network flows for the virtual machines, including identifying characteristics of each network flow. The network device is also programmed to, based on the characteristics of the network flows and based on the rules, assign one or more of the network flows to at least one of the physical queues.
-
Publication No.: US08422395B2
Publication date: 2013-04-16
Application No.: US12242775
Filing date: 2008-09-30
CPC classification: H04L45/00, H04L12/1863, H04L45/16, H04L45/22, H04L45/28, H04L45/38, H04L45/745, H04L47/125, H04L47/15
Abstract: Exemplary methods, systems, and computer program products describe selecting a gateway based on health and performance information of a plurality of gateways. The techniques describe gateways advertising health and performance information, computing devices creating a table of this health and performance information, and selecting a gateway using the table. In response to changes in the health and performance information, the computing device may select a different gateway. The process allows network traffic load to be distributed across a plurality of gateways. This process further provides resilience by allowing a plurality of active gateways to substitute for a non-functioning gateway.
-
Publication No.: US20120155468A1
Publication date: 2012-06-21
Application No.: US12973914
Filing date: 2010-12-21
Applicant: Albert Gordon Greenberg, Changhoon Kim, David A. Maltz, Jitendra Dattatraya Padhye, Murari Sridharan, Bo Tan
Inventors: Albert Gordon Greenberg, Changhoon Kim, David A. Maltz, Jitendra Dattatraya Padhye, Murari Sridharan, Bo Tan
IPC classification: H04L12/56
CPC classification: H04L45/24, H04L47/193, H04L69/14, H04L69/163, H04L69/22
Abstract: Various technologies related to multi-path communications in a data center environment are described herein. Network infrastructure devices communicate traffic flows amongst one another, wherein a traffic flow includes a plurality of data packets intended for a particular recipient computing device that are desirably transmitted and received in a certain sequence. Indications that data packets in the traffic flow have been received outside of the certain sequence are processed in a manner to prevent a network infrastructure device from retransmitting a particular data packet.
-
Publication No.: US20110317554A1
Publication date: 2011-12-29
Application No.: US12824989
Filing date: 2010-06-28
Applicant: Albert Greenberg, David A. Maltz, Parveen K. Patel, Lihua Yuan
Inventors: Albert Greenberg, David A. Maltz, Parveen K. Patel, Lihua Yuan
CPC classification: H04L61/2517, H04L29/12367, H04L29/12377, H04L29/12396, H04L61/2514, H04L61/2525
Abstract: A method of enabling an electronic privately addressable source to be publicly addressable starts at a receiver where an electronic message is received. It is communicated from a sender with a private address outside a subnet of the receiver through a translator. The translator retrieves a lease to at least one of a public address or a port from a lease manager, translates the private address and the private port into a public address and a public port and communicates identifying data such as the public address and the public port to the receiver. If a response is communicated to the private sender, the response may be communicated to the private sender through the network. The public address and the public port on the message may be translated to the private address and the port of the private sender and the private address and the private port may be used to properly route the response to the private sender.